--- a/gst_plugins_base/gst-libs/gst/riff/riff-read.c Wed Mar 24 17:58:42 2010 -0500
+++ b/gst_plugins_base/gst-libs/gst/riff/riff-read.c Wed Mar 24 18:04:17 2010 -0500
@@ -161,6 +161,10 @@
GST_DEBUG_OBJECT (element, "fourcc=%" GST_FOURCC_FORMAT ", size=%u",
GST_FOURCC_ARGS (fourcc), size);
+ /* be paranoid: size may be nonsensical value here, such as (guint) -1 */
+ if (G_UNLIKELY (size > G_MAXINT))
+ goto bogus_size;
+
if (bufsize < size + 8 + offset) {
GST_DEBUG_OBJECT (element,
"Needed chunk data (%d) is more than available (%d), shortcutting",
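Review bot: The new `size > G_MAXINT` guard bounds `size` on its own, but the comparison right after it still computes `size + 8 + offset` in unsigned arithmetic, so a large enough `offset` could still wrap the sum and let an oversized chunk pass. The message ending in `offset, bufsize, 8` in the next hunk suggests an earlier check already ensures `bufsize >= offset + 8`, though that check is outside this hunk. If it does, the test can avoid adding to the file-controlled value: `if (bufsize - offset - 8 < size) {`. Separately, the "Needed chunk data" message prints with `%d`, whereas the log line above uses `%u` for `size`; `%u` would keep large values from showing as negative.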
@@ -191,6 +195,11 @@
offset, bufsize, 8);
return FALSE;
}
+bogus_size:
+ {
+ GST_ERROR_OBJECT (element, "Broken file: bogus chunk size %u", size);
+ return FALSE;
+ }
}
/**
@@ -646,6 +655,10 @@
tsize = GST_READ_UINT32_LE (data + 4);
size -= 8;
data += 8;
+
+ GST_DEBUG ("tag %" GST_FOURCC_FORMAT ", size %u",
+ GST_FOURCC_ARGS (tag), tsize);
+
if (tsize > size) {
GST_WARNING_OBJECT (element,
"Tagsize %d is larger than available data %d", tsize, size);
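Review bot: The added trace uses plain `GST_DEBUG`, while the warning directly below it uses `GST_WARNING_OBJECT (element, ...)`, so the new line loses the element context in the log. Suggest `GST_DEBUG_OBJECT (element, "tag %" GST_FOURCC_FORMAT ", size %u",` with the argument line unchanged. Logging `tsize` before the bounds check is useful because the value comes straight from the file. The warning below prints it with `%d`, so a value above G_MAXINT would show as negative there; `%u` would match the new line. The enclosing loop starts and ends outside this hunk.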
@@ -688,7 +701,7 @@
type = GST_TAG_GENRE;
break;
case GST_RIFF_INFO_IKEY:
- type = NULL; /*"Keywords"; */ ;
+ type = GST_TAG_KEYWORDS;
break;
case GST_RIFF_INFO_ILGT:
type = NULL; /*"Lightness"; */
@@ -747,6 +760,12 @@
}
}
+ if (tsize & 1) {
+ tsize++;
+ if (tsize > size)
+ tsize = size;
+ }
+
data += tsize;
size -= tsize;
}
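Review bot: The odd-size adjustment added before `data += tsize` has no comment, and its reason is not obvious from the code. Suggest `/* RIFF chunks are word-aligned: skip the pad byte, which is not counted in tsize */` above `if (tsize & 1)`. The re-clamp to `size` is what stops `size -= tsize` from wrapping when the last chunk is odd-sized and the file has no pad byte, which is worth one more line of comment. This relies on `tsize <= size` holding on entry, which presumably comes from the handling after the "Tagsize" warning; that code is outside this hunk.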